Fraud Best Practices

Understanding fraud prevention best practices for fintech and embedded banking.

This resource is written for embedded banking and fintech companies who work directly with our growing network of banks. In this guide, we’ll be talking to you as a fintech about fraud—what it is, what are best practices to prevent it, and what tools we offer to help.

It is worth noting that not everything in this guide may be necessary or pertinent to your immediate needs but may be worth referencing again in the future as your business grows. There is also no way to ensure it is all inclusive of every scenario you may encounter. Remember it is informational only and not intended to be relied upon as legal advice for your business.

We will often refer to “fintechs” or financial technology companies in this guide. Please note that “fintech” can also mean other organizations or enterprises looking for embedded banking solutions that aren’t necessarily working in the financial technology space.

Overview

When your company offers banking products and services in collaboration with a bank partner using a software technology provider like Treasury Prime, it is important to understand the various roles and responsibilities as they relate to end customer behavior and overall fraud. While the bank is the regulated financial institution and ultimately the entity that is subject to regulatory oversight, the respective bank partner will often hold your company liable for any fraud or losses related to end customer transactions. This may include scenarios where a customer overdraws an account through a payment rail like ACH or wire and also may include larger, coordinated fraud attacks through a debit card program.

As the party liable for fraud losses and disputes, it is crucial to understand the prevalent types of business fraud and implement effective prevention measures to protect your company's interests. Here, we will provide an overview of three well-known types of business fraud: first party fraud, third party fraud, and force capture or overcapture fraud—along with strategies to prevent them.

While there are active steps you can take to mitigate fraud, you should know that it is an impossible endeavor to eliminate fraud completely given the nature of financial services and products.

Types of Fraud

First Party Fraud

First party fraud occurs when an individual or entity intentionally provides false information or misrepresents their financial situation to obtain financial benefits. It can result in substantial financial losses and damage to your reputation. Here is an example using ACH debit:

Example
  1. An account is opened at Bank X by a bad actor using a compromised or false identity.
  2. The bad actor then uses the new account to initiate a $2,500 ACH debit from Bank X to pull funds from another account they have at Bank Y.
  3. As soon as the funds are available at Bank X, they immediately spend or transfer the $2,500.
  4. Next the bad actor tells Bank Y that the ACH debit wasn’t authorized which initiates a return, leaving Bank X with a negative balance.

First Party Fraud Prevention Tools

  • Implement robust identity verification processes, such as verifying customer identities using multiple reliable data sources, conducting thorough background checks, and employing biometric authentication methods.
  • Utilize advanced analytics and machine learning algorithms to detect suspicious patterns or anomalies in customer behavior, transactions, or account activities at the time of customer onboarding.
  • Apply proactive controls including transaction limits for end customers and product level controls.
  • Conduct comprehensive risk assessments to identify potential vulnerabilities and develop mitigation strategies accordingly.
  • Educate employees about common fraud indicators and provide regular training sessions to enhance their ability to detect and report suspicious activities promptly.
  • Employ a proactive approach by monitoring customer accounts for signs of unauthorized activity and promptly investigating and resolving any identified fraudulent behavior.

Third Party Fraud

Third party fraud involves an outside individual or organization that is not the legitimate account holder, typically using a stolen identity or stolen account credentials to defraud the institution or its customers, and often exploiting weaknesses in its systems or processes. Here is the same ACH debit example again; the third party differences are in steps 2 and 4:

Example
  1. An account is opened at Bank X by a bad actor using a compromised or false identity.
  2. The bad actor then initiates a $2,500 ACH debit from Bank X to pull funds from a Bank Y account that they don’t own using account details (routing number, account number, etc.).
  3. As soon as the funds are available at Bank X, they immediately spend or transfer the $2,500.
  4. The account holder at Bank Y notifies the bank that the ACH debit wasn’t authorized which initiates a return, leaving Bank X with a negative balance.

Third Party Fraud Prevention Tools

  • Strengthen cybersecurity measures by regularly updating and patching software systems, conducting penetration testing, and implementing robust firewalls and intrusion detection systems.
  • Educate employees about the risks of phishing attacks and social engineering techniques, emphasizing the importance of not sharing sensitive information or clicking on suspicious links.
  • Implement multi-factor authentication methods for accessing critical systems or conducting high-value transactions.
  • Establish strong partnerships with reputable third-party vendors and conduct due diligence to ensure their security practices align with your organization's standards.
  • Regularly monitor and analyze network traffic, log files, and system access logs to detect any unusual or unauthorized activities.
  • Educate customers on minimizing their fraud risk when using cards. There are certain things a cardholder can do to protect themselves from fraud, including:
    • Avoid writing down their PIN or sharing sensitive information related to their card
    • Only provide payment information to trusted sites and merchants
    • Use more secure processing methods when possible, such as digital wallets like Apple Pay™ or the EMV chip. Magstripe swipes or manually keyed PANs are generally not as secure.
    • Lock cards when not in use
    • Regularly monitor transaction history and report any unauthorized transactions

Force Capture and Overcapture Fraud

Force capture or overcapture fraud takes place when an individual intentionally manipulates or disrupts the payment capture process to obtain unauthorized funds. This can involve exploiting weaknesses in payment processing systems or abusing technical glitches.

In debit card processing, a force capture (also called a force post) is a transaction that the merchant submits for clearing without a matching approved authorization, for example after an authorization was declined or has expired, or with an authorization code obtained offline. Because the issuer never approved the amount, the transaction skips the authorization step at which you could have declined it, and it is posted to the cardholder's account at settlement even if that drives the balance negative. Overcapture is the related case where the cleared amount exceeds the authorized amount; the card networks allow the final amount to differ from the authorized amount for certain merchant types, such as restaurants (tips) and automated fuel dispensers. Both are most common where the merchant has already provided the product or service (i.e. gas stations, restaurants, subscription services). Here is an example scenario:

Example
  1. An end customer opens a debit card at Bank X.
  2. The same customer signs up for a subscription service like Netflix using the debit card.
  3. On the second month of the subscription, the customer does not have funds to cover the Netflix fees.
  4. The merchant (in this case Netflix) can force post the transaction without an approved authorization because it has already rendered the service, leaving the account with a negative balance.

More details on force capture are also available in FAQs linked at the end of this guide.

Force Capture and Overcapture Fraud Prevention Tools

  • For card programs, implement upfront controls including MCC-based limits for merchant categories like restaurants and gas stations that have a higher ability to force post or overcapture transactions. Keep in mind that a force-posted transaction never passes through authorization, so authorization-time controls alone cannot block it.
  • Implement internal controls including transaction limits for certain payment rails including cards, ACH and wires.
  • Implement comprehensive transaction monitoring systems that can detect unusual payment patterns, discrepancies in transaction amounts, or repeated attempts to manipulate the payment capture process.
  • Conduct regular audits of payment processing systems and reconcile transaction records to identify any inconsistencies or irregularities.
  • Establish clear protocols for handling technical glitches or system errors to prevent unauthorized individuals from exploiting them for fraudulent purposes.
  • Implement real-time monitoring and alert systems that can immediately flag and investigate suspicious payment activities.
  • Provide ongoing training to employees involved in payment processing to enhance their awareness of potential fraud risks and encourage them to report any suspicious incidents promptly.

Fundamental behavioral checks such as velocity limits, deviation from historical activity, sudden spikes—basic indicators that traditional financial institutions have long relied on—can go far in detecting and mitigating fraudulent activity.

By implementing preventive measures either independently or using third-parties, you can significantly reduce the risks associated with various types of business fraud. It is crucial to stay proactive, adapt to emerging fraud trends, and continuously update and enhance fraud prevention strategies to protect both the organization's financial interests and your customers’ trust.

Metrics to Consider

As mentioned above, deviations from historical activity including sudden spikes can go far in detecting and mitigating fraudulent activity. Here are some metrics to consider tracking to prevent and catch fraud:

Proactive Metrics

  • Sign-up Volume Monitoring: Monitor unexpected spikes or unusual patterns in sign-up volume, as they can indicate potential fraudulent activity on your platform. Pay special attention to unexpected upticks or post-marketing announcement surges, as they can attract bad actors.
  • Account Access Controls: Track and analyze the usage of access controls, such as limiting faster payouts or ACH debit features to trusted customers. Assess the effectiveness of these controls in preventing fraudulent transactions.
  • Identity Verification Success Rate: Measure the success rate of your identity verification processes, such as Stripe Identity or KYC procedures, to ensure they effectively identify and authenticate legitimate customers.
  • Anomalous Behavior Detection: Implement systems to flag and monitor businesses that exhibit anomalous behavior, such as high-volume transactions without authorization or overcapture attempts. Measure the accuracy and effectiveness of these detection mechanisms.
  • Fraud Review Efficiency: Track the time required for manual fraud reviews for new customers or high-risk transactions. Aim to optimize the review process without compromising accuracy.
  • Duplicate Account Detection: Monitor the detection of duplicate account information associated with previously fraudulent customers, including financial account details, names with DOB, and tax information. Measure the success rate of identifying duplicate accounts.
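The sign-up volume spike and "deviation from historical activity" checks described above can be put into code. The following is an added example, not code from this guide or from Treasury Prime: spike_alerts scores each day's sign-up count against the preceding two weeks with a modified z-score (median and median absolute deviation, which a single spike day cannot inflate the way a mean and standard deviation can), and domain_concentration flags a day whose sign-ups cluster on one email domain. The daily counts, the email list and every threshold are constructed for the example.

```python
"""Added example (not from the original guide): two sign-up volume checks.
spike_alerts flags days whose count is far above a trailing baseline using a
modified z-score (median/MAD), and domain_concentration flags a day's sign-ups
clustering on one email domain. All thresholds and sample data are constructed."""
from collections import Counter
from statistics import median
from typing import List, Tuple

# Constructed daily sign-up counts: 14 quiet days, then a spike on day 15.
DAILY_SIGNUPS = [42, 48, 45, 51, 39, 44, 47, 50, 43, 46, 49, 41, 45, 48, 52, 310, 55]

# Constructed sign-up emails for the spike day: 220 from one throwaway domain,
# 90 spread across three ordinary domains (.example is a reserved TLD).
SPIKE_DAY_EMAILS = (
    [f"user{i}@burner-mail.example" for i in range(220)]
    + [f"alice{i}@mail-a.example" for i in range(30)]
    + [f"bob{i}@mail-b.example" for i in range(30)]
    + [f"carol{i}@mail-c.example" for i in range(30)]
)


def modified_zscore(value: float, baseline: List[int]) -> float:
    """Iglewicz-Hoaglin modified z-score. Median/MAD stay stable even when a
    spike day is already inside the baseline window."""
    med = median(baseline)
    mad = median(abs(b - med) for b in baseline)
    if mad == 0:  # perfectly flat baseline: avoid division by zero
        mad = (sum(abs(b - med) for b in baseline) / len(baseline)) or 1.0
    return 0.6745 * (value - med) / mad


def spike_alerts(daily_counts: List[int], window: int = 14,
                 threshold: float = 3.5) -> List[Tuple[int, int, float]]:
    """Return (day_index, count, score) for each day whose score against the
    preceding `window` days exceeds `threshold` (3.5 is the usual cutoff)."""
    alerts = []
    for i in range(window, len(daily_counts)):
        score = modified_zscore(daily_counts[i], daily_counts[i - window:i])
        if score > threshold:
            alerts.append((i, daily_counts[i], round(score, 1)))
    return alerts


def domain_concentration(emails: List[str], max_share: float = 0.3,
                         min_count: int = 50) -> List[Tuple[str, int, float]]:
    """Return (domain, count, share) for domains holding more than max_share
    of the day's sign-ups and at least min_count, so a tiny day cannot alert."""
    domains = Counter(e.rsplit("@", 1)[-1].lower() for e in emails)
    total = len(emails)
    return [(d, n, round(n / total, 2)) for d, n in domains.most_common()
            if n >= min_count and n / total > max_share]


if __name__ == "__main__":
    print(spike_alerts(DAILY_SIGNUPS))             # [(15, 310, 71.1)]
    print(domain_concentration(SPIKE_DAY_EMAILS))  # [('burner-mail.example', 220, 0.71)]
```

Note that day 17 (55 sign-ups) is not flagged even though the 310-day is now inside its baseline window; that robustness is the reason to prefer median/MAD over mean/standard deviation for this kind of baseline.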

Reactive Metrics

  • Fraud Incident Response Time: Measure the time it takes to detect and respond to fraudulent incidents reported by customers. Aim for a swift response to minimize financial losses and customer impact.
  • Dispute Resolution Success Rate: Monitor the success rate of resolving fraud disputes, such as card disputes or ACH debit returns, in favor of your customers. Strive for a high rate of successful resolution to maintain customer trust.
  • Account Recovery Time: Measure the time it takes to restore access to an account that has been compromised or taken over by fraudsters. Aim for quick account recovery while ensuring proper verification procedures.
  • Fraud-related Financial Losses: Track the financial losses incurred due to fraudulent activities on your platform. Analyze trends and patterns to identify areas of vulnerability and take appropriate measures to mitigate losses.
  • False Positive Rate: Measure the rate of false positives in your fraud detection systems. Strive to minimize false positives to prevent inconvenience to legitimate customers while maintaining effective fraud prevention.
  • Customer Satisfaction: Monitor customer feedback, ratings, and reviews related to fraud prevention and response measures. Regularly assess customer satisfaction to identify areas for improvement and build trust in your fintech platform.

Remember, these metrics should be regularly reviewed, analyzed, and used to inform ongoing improvements in your fraud prevention and response strategies as a fintech organization.

Working with Third Party Partners

Treasury Prime works with a deep bench of top-tier third-party partners to power different services like KYC/KYB, transaction and fraud monitoring, card issuing, check issuing, ATM access, and more.

Fintechs who choose to work with our partner vendors will, in certain instances, go through due diligence and sign agreements or agree to terms with them as well. The partner bank has visibility into this process to ensure that every party has an understanding of how the fintech and its partner providers will operate.

While the Treasury Prime team has chosen some of the best players in their respective spaces, we understand that some fintechs may feel more comfortable with their own vendors. In this case, the Treasury Prime team will work with the fintech to streamline and facilitate the due diligence process.

Transaction Monitoring and KYC/KYB Partners

Treasury Prime has key partnerships with best-in-class RegTech (regulatory technology for managing regulatory compliance in the financial space) platforms for KYC/KYB and transaction monitoring. Treasury Prime’s compliance team will also work with bank partners to determine an appropriate rule set for fintechs’ transaction monitoring systems when needed.

Alloy, Unit21, and Sardine provide a number of third-party data sources that can be used for transaction monitoring. In addition to satisfying regulatory requirements, these tools will be critical in identifying and mitigating fraudulent activity.

Alloy for KYC and Transaction Monitoring

Alloy is used to perform Know Your Customer (KYC) and Know Your Business (KYB) evaluations on persons and businesses applying for accounts. Fintechs and banks can set up a custom workflow in Alloy to run whatever evaluations the bank/fintech would like them to run, and decide whether the person or business should be approved/declined/go into a manual review queue.

Treasury Prime has an integration with Alloy as part of onboarding workflows (applying for a new account) where we send Alloy information about the persons and/or business attached to an account application.

Unit21 for Transaction and Fraud Monitoring

Unit21 is a leading RegTech platform for transaction and fraud monitoring. Treasury Prime sends over payload and batch data to Unit21 daily so that banks can monitor transaction activity regularly and collaborate with their fintech clients when suspicious activity is identified.

Unit21 also provides investigative alert capabilities so that both bank partners and fintechs can quickly address any new issues. Bank partners can also allocate first-level alert resolution to its fintechs, who best understand whether flagged activity within the platform is risky or not. Simultaneously, bank partners maintain complete visibility into any underlying activity of all alerts.

Sardine for KYC and Transaction Monitoring

Sardine monitors behavior patterns and detects device irregularities to stop fraudsters before they create and fund their accounts. They also integrate proprietary Device Intelligence and Behavior Biometrics signals with phone, email, SSN, and documentary KYC from leading providers to offer global coverage, speed, and reliability.

By deploying advanced machine learning models to better assess chargeback risk and guard against fraudulent transactions, Sardine can detect atypical behaviors, instantly alerting customers to cancel suspicious transactions or block cards to prevent future losses.

Plaid Auth

Rather than handling account and routing numbers directly, customers can authenticate bank information through the Plaid integration and pass a processor token to Treasury Prime that represents the account and routing numbers. Because the user has to log in to the external bank (or complete micro-deposit verification) to link the account, Plaid acts as an additional check that the person linking the account actually controls it, which filters out the third party scenario above where a bad actor pulls funds from an account they do not own.

More information on how to get started: https://plaid.com/docs/auth/partnerships/treasury-prime/

Treasury Prime Fraud Prevention Features

Outside of third-party support, preventative measures can also be enabled through the Treasury Prime platform including card controls, ACH controls, and customized hold times.

We are continually updating our API and tools. Don’t see what you are looking for? We love client feedback! Reach out to your Treasury Prime point of contact and let us know.

CARD AUTH LOOP ENDPOINT

If you want more granular control of what transactions to approve or deny, you can include yourself in the authorization loop of card transactions. This allows you to approve or decline individual card transactions based on your own custom business logic.

CARD ADDRESS VERIFICATION

Treasury Prime can enable address verification on your Card Products of choice. When this is enabled, the street address, the ZIP code, or both (depending on what is enabled for the product) are checked against what the merchant submits through the network. If they do not match, the authorization is declined.

CARD CONTROLS

Card control configuration objects allow you to apply customizable spending restrictions on individual cards that you issue. These controls include:

Merchant Restrictions

The merchant_restriction card control type enables you to allow or disallow the use of a Card or Card Product at specific categories of merchants.

When a merchant restriction is created to allow certain merchant category codes (MCCs) or merchant IDs (MIDs), only transactions at vendors listed with those MCCs or MIDs in the card network will be approved. All other transactions will be declined. The call must have an array of MCCs or MIDs passed, or a combination of the two.

Spend Velocity Restrictions

The spend_limit card control type allows you to configure a maximum spending amount within a timeframe (e.g. no more than $1000 in authorized transactions within a 24 hour period).

Withdrawal Velocity Restrictions

The withdrawal_limit card control type allows you to configure a maximum dollar amount for ATM withdrawals within a timeframe (e.g. not more than $400 in ATM transactions within a 24 hour period).
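The authorization loop described under CARD AUTH LOOP ENDPOINT and the three card control types above fit together as a single decision function. The following is an added illustration and is not Treasury Prime code: it does not use Treasury Prime's API, endpoints or payload format, and the AuthRequest and CardControls shapes, the field names and the sample authorizations are all assumptions. It enforces a merchant restriction, a 24-hour spend limit, a 24-hour ATM withdrawal limit and an optional address-verification match, and only approved authorizations count toward the rolling limits.

```python
"""Added illustration of an authorization-loop decision function enforcing
card controls. This is not Treasury Prime code and does not use its API or
payload format: AuthRequest, CardControls and every field name are assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

ATM_MCC = "6011"  # network MCC for automated cash disbursements (ATM withdrawals)


@dataclass
class CardControls:
    allowed_mccs: Optional[Set[str]] = None   # merchant_restriction; None = no restriction
    spend_limit_cents: int = 100_000          # spend_limit: $1,000 per window
    withdrawal_limit_cents: int = 40_000      # withdrawal_limit: $400 of ATM cash per window
    window: timedelta = timedelta(hours=24)
    require_avs_match: bool = False           # address verification on the card product


@dataclass
class AuthRequest:
    card_id: str
    amount_cents: int
    mcc: str
    at: datetime
    avs_zip_match: bool = True   # result of the network's AVS comparison (assumed field)


class AuthLoop:
    """Approves or declines each authorization against the card's controls.
    Only approved authorizations count toward the rolling limits. A
    force-posted clearing never enters this loop, so these limits bound
    authorized spend, not what a merchant can force through at settlement."""

    def __init__(self, controls: Dict[str, CardControls]) -> None:
        self.controls = controls
        self.approved: Dict[str, List[AuthRequest]] = defaultdict(list)

    def _rolling_total(self, card_id: str, now: datetime, window: timedelta,
                       atm_only: bool) -> int:
        cutoff = now - window
        return sum(a.amount_cents for a in self.approved[card_id]
                   if a.at > cutoff and (not atm_only or a.mcc == ATM_MCC))

    def decide(self, req: AuthRequest) -> Tuple[str, str]:
        c = self.controls.get(req.card_id)
        if c is None:
            return "decline", "unknown_card"
        if c.allowed_mccs is not None and req.mcc not in c.allowed_mccs:
            return "decline", "merchant_restriction"
        if c.require_avs_match and not req.avs_zip_match:
            return "decline", "avs_mismatch"
        spent = self._rolling_total(req.card_id, req.at, c.window, atm_only=False)
        if spent + req.amount_cents > c.spend_limit_cents:
            return "decline", "spend_limit"
        if req.mcc == ATM_MCC:
            cash = self._rolling_total(req.card_id, req.at, c.window, atm_only=True)
            if cash + req.amount_cents > c.withdrawal_limit_cents:
                return "decline", "withdrawal_limit"
        self.approved[req.card_id].append(req)
        return "approve", "ok"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed sequence of authorizations for one card (sample data)."""
    t0 = datetime(2024, 3, 1, 9, 0)
    loop = AuthLoop({"card_1": CardControls(
        allowed_mccs={"5411", "5812", ATM_MCC},   # grocery, restaurants, ATM
        spend_limit_cents=150_000,                # $1,500 per 24h
        withdrawal_limit_cents=40_000,            # $400 of ATM cash per 24h
    )})
    requests = [
        AuthRequest("card_1", 60_000, "5411", t0),                        # grocery $600
        AuthRequest("card_1", 3_000, "5541", t0 + timedelta(hours=1)),    # gas station, not allowed
        AuthRequest("card_1", 30_000, ATM_MCC, t0 + timedelta(hours=2)),  # ATM $300
        AuthRequest("card_1", 15_000, ATM_MCC, t0 + timedelta(hours=3)),  # ATM $150 -> $450 cash
        AuthRequest("card_1", 70_000, "5812", t0 + timedelta(hours=25)),  # the $600 has aged out
        AuthRequest("card_1", 60_000, "5812", t0 + timedelta(hours=25)),  # would exceed $1,500
    ]
    return [loop.decide(r) for r in requests]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Declined authorizations are deliberately left out of the rolling totals, otherwise an attacker could exhaust a cardholder's limit with requests that never settled. The caveat from the force capture section still applies: a forced clearing arrives without an authorization and so never reaches this function.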

Upcoming features

Note: These functions are meant to be representative of what is in active development. They are not meant to be definitive descriptions or definitions. We look forward to providing more detail as launch approaches.

CUSTOMIZED ACH HOLD TIMES

Customizable ACH hold times for fintechs will allow more customization of how long Treasury Prime holds funds received through Automated Clearing House (ACH) transactions before they are made available for withdrawal or use.

When a user receives money electronically through our platform, Treasury Prime sometimes has to put a temporary hold on those funds to ensure the transaction is legitimate and secure. Customizable hold times mean setting different durations based on factors like the type of transaction, the credibility of the sender, the amount of money involved, and user transaction history.

These customizable hold times will help strike a balance between providing quick access to funds and preventing fraud. For example, if your user receives a large sum of money from an unfamiliar source, you may choose to hold the funds for a bit longer to verify that the transaction is legitimate and protect yourself from potential fraud.

By tailoring the hold times, you will be able to make more informed decisions about when the funds will become available to your account holder. This flexibility helps ensure the security of your transactions while minimizing the risk of fraudulent activities.
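Because the customizable hold time feature is described above only in terms of the factors it would consider, here is an added example of how a fintech might express such a policy as code. It is not Treasury Prime's feature or configuration format: the AchCredit fields, the baseline days per transaction type, the amount thresholds and the cap are all assumptions. One caveat worth building into the policy: a hold of a few business days covers insufficient-funds and closed-account returns (R01/R02), which the receiving bank must send within two banking days of settlement, but a consumer "unauthorized" return (R10) can arrive up to 60 calendar days after settlement. No reasonable hold closes that window, which is why the first-party ACH example earlier in this guide also needs identity verification and transaction limits.

```python
"""Added example (not Treasury Prime's feature or configuration format): a
hold-time policy of the kind the passage describes, expressed as a function
of transaction type, sender familiarity, amount and account history. The
AchCredit fields, day counts and thresholds are all assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class AchCredit:
    amount_cents: int
    kind: str              # "payroll", "p2p", "debit_pull" (funds the user pulled in), or other
    sender_known: bool     # this originator has paid this account before without a return
    prior_returns: int     # ACH returns against this account in the trailing 90 days
    account_age_days: int


def hold_business_days(tx: AchCredit) -> int:
    """Hold length in business days: a baseline by transaction type, plus
    time for unfamiliar senders, large amounts, return history and new
    accounts, capped at 5 business days (all assumptions).

    A hold this long covers R01/R02 returns (due within two banking days of
    settlement) but not a 60-day consumer unauthorized return (R10)."""
    days = {"payroll": 0, "p2p": 1, "debit_pull": 2}.get(tx.kind, 2)
    if not tx.sender_known:
        days += 1
    if tx.amount_cents >= 500_000:      # $5,000 and up
        days += 2
    elif tx.amount_cents >= 100_000:    # $1,000 to $4,999.99
        days += 1
    if tx.prior_returns > 0:
        days += 2
    if tx.account_age_days < 30:
        days += 1
    return min(days, 5)


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays. No bank-holiday calendar (assumption for the demo)."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:       # Monday=0 ... Friday=4
            n -= 1
    return current


def availability_date(tx: AchCredit, settled_on: date) -> date:
    return add_business_days(settled_on, hold_business_days(tx))


def run_demo() -> List[Tuple[str, int, str]]:
    """Constructed cases settled on Friday 2024-03-01; returns
    (kind, hold days, availability date)."""
    settled_on = date(2024, 3, 1)
    cases = [
        AchCredit(200_000, "payroll", True, 0, 400),     # known employer, $2,000
        AchCredit(250_000, "debit_pull", False, 0, 10),  # the $2,500 pull from the examples
        AchCredit(50_000, "p2p", True, 1, 400),          # $500 from a known sender, one prior return
    ]
    return [(tx.kind, hold_business_days(tx), availability_date(tx, settled_on).isoformat())
            for tx in cases]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

In the demo the $2,500 debit pull on a 10-day-old account from an unfamiliar source hits the 5-day cap, so a same-day spend of those funds (step 3 of the first-party example) would not have been possible; the payroll credit is available the next business day.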

In Closing

It is essential for fintechs to stay vigilant and proactive in combating business fraud. This involves continuously evaluating and strengthening internal controls, investing in advanced fraud detection technologies, fostering a culture of fraud awareness and reporting, and staying updated on the latest fraud trends and prevention techniques.

By prioritizing fraud prevention and mitigation strategies using additional controls and third-party tools, you can safeguard your business interests and maintain customer trust.

Additional Resources

Interested in more perspectives on Compliance?

Fraud is constantly evolving and staying one step ahead is key. As discussed during our compliance webinar, there are a myriad of ways for fintechs to approach compliance. Technology helps by bridging the gap between what banks require as regulated institutions and what fintechs need for optimum experience.

Our webinar gives top compliance insights from several different perspectives, including those of fintechs, banks, and modern compliance tool partners. Our panelists included:

  • Moderator: Sheetal Parikh, Assc. General Counsel & VP of Compliance, Treasury Prime
  • Emily Reisig, SVP, Innovation Development Manager, Emprise Bank
  • Jeremie Beaudry, Manager of Strategic Accounts, Unit21
  • Aditi Shekar, Founder and CEO, Zeta
  • Natasha Vernier, Co-Founder and CEO, Cable

Note: FAQ and other Enterprise Compliance Toolkit docs are available to all live Treasury Prime customers.